b'              STATE COMPUTER SECURITY\n\n\n\n\n\nOFFICE OF \n        INSPECTOR GENERAL\nOFFICE OF ANALYSIS AND INSPECTIONS\n\n                                     DECEMER 1988\n\x0c                         OFFICE OF INSPECTOR GENERAL\n\nThe mission of the Ofce of Insper Gener (010) is to promote the effciency, effective\xc2\xad\nness and integrty ofprogr   in the Unite States Deparent of Health and Human Services\n(HS). It dos this by developing method to detet and prvent frud, waste and abuse.\nCrate by statute in 1976, the Inspto Genera keeps both the Secta and the Congrss\nfuly and curntly inormed about    prgr   or maagement prblems and reommends cor\xc2\xad\nretive action. The 010   peor    its mision by conductig audits, investigations and inspec\xc2\xad\ntions with   apprxily    1.200 sta strtegicaly locate arund the countr.\n\n\n                    OFFCE OF ANALYSIS AND INSPECll0NS\nTh    re\nmajor offces\n            is pruced by the Ofce of Analysis and Insptions (OAl, one of the the\n               with the 010. The other two ar the Ofce of Audit and the Office of Inves\xc2\xad\ntigations. OAI conducts insptions whih ar tyicaly short-te studies designed to deter\xc2\xad\nmie   prgr     effecveness, effciency and vuncrilty to frd and abuse.\n\n\n\n\n                                     THIS REPORT\nThe re is entied "Sta Coute Secmity.th" It was conduct\ncompute relat frud which found that one-       frud involvig Ooverent\n                                                                     as follow-up to a study of\n                                                                                         funds\nwer cott\n                                          of the\n              on Sta and loc compute systms. 
Th sty           identisought to         State ef\xc2\xad\nfor to               compute securty on\n         pla and implement                            steg fedy-\n                                                   systems\n                                                             admini                funded\nprgr.\nTh sty was prpar by the Regional\ntions, New Yor Region.\n                                        In           Gener Ofce of Anysis and Insp\xc2\xad\n                          Papatg on the prjet we the followig:\n\nNew York\nJack Molnar (Pjet   Le)                     Al Stubbs\n\nJohn Trazyk                                Lena Czjka\n                                            Aprl      Wi11am\n\nDallas\nRaph Tunell\n\n\x0c     STATE COMPUTER SECURITY\n\n\n\n\n\n                 Richard P. Kusrow\n                 INSPECTOR GENERAL\n\n\n\n\nOAI- 02-800630                       1EC& \';88\n\x0c                                                                                         EXECUTIVE SUMMARY\n\n                       BACKGROUND\n\n                       The PUlse of \n\n                                                    this inspection was\n\n                       securty On systems                                                      to identify State effons to\n\n                                                        admnisterig f\n\n                   reuirnts ar                       having On the Statesderay funde\n                                                                                                                                                       plan\n                                                                                                                                                                 and implement comPUter\n                   th of cOIDuter\xc2\xad\n                                                       relate\n                                                                               
                     efon. It \n\n                                                                                                                            Was\n                                                                                                                                  Pro=""and to assess the effect Federal\n                  ci     On Integrty and                               involvig\n                                                                    &ads                                                           intiate out of an\n\n                                                                                                                                                                        aWarness that\n                                                            Efciency, Wer COlItt                             Fed\n                                                                                                                              fuds, as\n                                                                                                                                                identied by                                       One-\n                 Ther we two phases of activity in                                                                    On Stae            cOIDUte syste.\n                                                                                                                                                                              the Prdent s COun-\n                 compute securty \n\n                                                                                               ths inpection. 
Initiy,\n                 to identi relevantWas reviwed and metigs\n                                    reuil1nts an           were conducte with guidace to States On\n                                                                                                                                                    Fed\n                stuy\n                      shoul\n                             focs On\n                                       the Aid to Fames                       apprprite       IInitog                                                                                Fed\n               Stap Progrs.                                  prtices.\n                                                        With DependntIt Chin\n                                                                        Was\n                                                                            then detered       stas\n                                                                                         that the\n                                                                             , Mecaid an FOO\n               The send pha\n                                                  include\n               Proessig (ADP)                                      viits\n                                                                                                Staes to dicuss compute securty with automatic\n               sury of Sta                        an prgr                    sta\n                                                                                   to   12\n\n\n\n                                                                      Wer reponsible not an audit of the\n                                                                                             This\n                                               ofcial who                                              Was\n               sor a varety of securty \n                                            
                                                                                                              data\n             sha data cente and                                 envimnnts. The            The\n                                                                        selection crtea inclUd State\n                                                                                                              fo the systems.\n                                                                                                                                                          Sta syste,\n\n                                                                                                                                                                                     but    rather a\n                                                     use of enhance fudig.  At\n                                                                                                       Wer selected to\n\n                                                                                                                                                                                                   as\xc2\xad\n             the State and \n\n                                        local sites.\n                                                                                eah State, dicussionsprogr      siz,                                                                        use of\n                                                                                                                                                                          we held at both\n           FINDINGS\n\n          Federa SecUr Guidae Has\n                                                                           limid 11I/1t On\n          Sta comUte seurty effon                                                                                     Stas\n          mon    Fed gndace and            
                        vared signficantly\n      P1 ca                       for     such      Vartion.\n                                                                monitog, and                                        States\n                                                                                                                   amg th\n                                                                                                    mied leve of intest  in seurty                      visite\n                                                                                                                                                                        The\n                                                                                                                                                                              of com\xc2\xad\n                                                                                                                                                                         "P\n                                                                                                                                                                               lac\n     Agrultu                                                               Audts\n                         (USDA)                                                              by the\n     the dee1OPl1nt of State \n\n                                                 and State legilative                                                             Gene for th U                                        to be the\n                                                                                             prsor appe to be\n    securty progrs.                                    SCty\n                                                                       pr=..                   
States without suchth\n                                                                                                                                                                   S.    DeParent of\n                                                                                                                                                                 facrs inuencing\n                                                                                                                                           inuence had\n\n  I\'\n   Examles\n\n\n\n\n we able to nOt\n                    of th lite imact\n                that thy Wer unwar of of\n                                      fig\n                                               seurty guda ar\n                                         any Fed coUte\n                                                                      Fed\n                                                                                                                                         that 3 of the\n                                                                                                                                                                         less organze\n\n\n the      Fed                    or renundtions reultig seurty                                                                                                     12 States \n\n                                                                                                                                                                                     visite\nRevenue Servce \n\nreguations. 
Seven \n\n                    reuirments\n                          (IS)\n                                we too gener to be of any value.\n                               gudace\n                                                           &o\n                                                                  in the           Incom an E.g1bilty Th\n                                                                                                                                   Fe      Slada,\n\n\n\n\n                                                                                                                                           exception\n                                                                                                                                                    IDnitog. SOI1\n                                                                                                                                                                  an only 4 States\n                                                                                                                                                                                           said\n                                                                                                                  Vertion SyStm th Inteal\n                                        State tok                                                                                                                 Was\nburnso,                                                         strng exception to\n                           as   weU\n                                          as     inapPmri                   to the \n\n                                                                                                         thse reuimets beuse     (IVS)\n                                                                                        IEVS\n                                                                   
                                    use of IRS data                                             they ar           too\n\x0c                                                                                              vir-\nWhen asked what they believed would be an appropriate   They want\n                                              this ara.Federa       comrehensive\n                                                              role, State           regula-\n                                                                          agencies were\ntually unanus in  thei desir for assistace in\n                             with supportng guida\n                                                      . They  ar split about the level of\ntions, common to all\n                       progrs\n                          field visitS, the others preferred the submission of vulnerabilty as-\nmonitoring; hal opted for\nsessmentS. The Assistant\n                          Secrta for Management and Budgetsecuty   (ASMB) issued proposed\nregutio    that include a common    stada     for Sta  computer          on fedraly funded\n\n                                      submission of vulnerabilty assessments.\nsystems and monitoring though the\n                            Controls\n Stats Have Good Access \n\n                                                identication numbers,\n                                                                          termnal identifiers and\n Access contrls in\n                    the fonn of passwords and                           the State securty\n                                                    ar the strngths of\n audit trls of persons  who  had  used the  system                         \' abilty to create or\n progrs. Vutaly al        States used access   controls to limit employees\n                                                                use. 
However, despite the apparent-\n mod fies, and to keep     a log of trsactions and system                   the States, a potential\n                       implemente     acss contrl effor note among\n ly well designed and\n  vuerabilty to the protectio of personal data was noted in a number of States.\n                                                                      Whe this pratice does not\n  Firt, may States issue generic passwords for query        function.\n                                                     prit out client reords, it\n                                                                                 does crate oppor\xc2\xad\n                 unauthorized   persons  to  view or              may  Sta    ar  intrucing, or in\xc2\xad\n  dictly permt\n  tuty for acces which is not    eaily lDmto          Secondy,\n\n  crasing the use of, personal computers\n                          crated  for sta offces as opposed to\n                                                                progr,\n                                          which have access to the client data bases.\n                                                                          crates  the Such\n                                                                                      oppor\xc2\xad\n  access, which is usualy\n                               quantities of data\n  tUity for downoading large\n\n   Stats Need to Strengthen Security in Specific Areas\n                                            documente by the absence of some commonly ac\xc2\xad\n   Weakess in State computer securty is\n   cepted pratices:\n\n                                                                     computer securty plan fully\n         Tb-quarrs       of the States visited do not have a spifc\n          implemente\n                                                 monitore computer       seurty at remote sites.\n          Only the States have plans for, and\n                              
                               rik analyses to evaluate \n\n                                                                                       their security.\n                               vulnerabilty assessments or\n          Only twO States do\n                                                    backgrund checks.\n           Only four States do personnel security\n\n           Contigency plans generay exist\n                                               on paper, but only   th   plas have been   tested.\n\x0cRECOMMENDATIONS\n\nDurg the course of this inspection, the Office of Inspector General tWice reommended chan\xc2\xad\nges to ASMB\' s Notice of Prposed Rule Makng (NPRM), " Automatic Data Processing Equip\xc2\xad\n                                                                " The recommendations\n\nment and Services; Conditions for Federa Financial Parcipation.\n\nincluded:\n\n     Modying the NPRM to specifically require that the States have a single security plan.\n\n      Addg a requirment for review of data securty in addition to physical security\n      reviews.\n\n      Establishing a clearly defied relationship between generic securty requirements and\n      progr-specific reuirments.\n\nThe recommendations listed above were incorprated into the NPRM. We recommend that\nthe Deparnt issue the common computer securty       stada   in fmal form with a risk\nanalysis requiment. Addtionaly, monitorig or   review  proedures  for these regulations\nshould be established.\n\x0c                                 .... ....... ... .... ...................................   ................................................\n                       .......................... ....... .................... ......................................... ..............\n\n\n\n\n                                                    TABLE OF CONTENTS\n\n\n\nEXECUTIVE SUMMARY\n\nINTRODUCTION... .................... ....... .................... ........... 
\n\n                                                                              .......................................... 1\n\n    Pu rpose\n      Backg ro und \n\n                                                    ........................................ (I........................ ..................\n\n      Methodo logy.......... \n\n\n\n\n\nFINDI NGS\n                 ................................................................................................................. 4\n\nRECOMMENDATIONS ..........................................\n                                                                                       ................................................... 9\n\nAG ENCY COMMENTS................................................ ..............................................\n\n                                                                                                                                            10\n\x0c                                      INTRODUCTION\n\n\nPURPOSE\n\nThe purose of this inspection was to identify State effons to plan and implement computer\nsecurty on systems admnisterig federaly funded progra ns, and to assess the effect Federa\nrequirments ar    having on the States \'   effons.\n\nBACKGROUND\n\nWhile the securty of Federa computer systems has long been monitored by both Congrss\nand the Executive Brach, it is only recently that attention has begu to focus on State com\xc2\xad\nputer systems use in the adstration of fedraly fuded program. Beyond the fact that\nsigncant Fedral funds are used to develop and adister these systems and ar expended\nthugh these systems, a number of recent events have rased questions as to the qualty of\nState computer securty.\n\nIn 1985, the Prsident s Council on Integrty and Efficiency (PCIE) reuested the Inspector\nGenera (10) for the Deparent of Health and Huma Servces        (H)   conduct a study of\ncomputer-related frud in governent agencies. 
That inspection include interviews with 46\nperptrtors to lear about their individual cres and the system vulerabilties that existed\nwhich alowed these cres to occur. Al of the perpetrtors held positions with some degree\nof involvement in the agency s computer system. A number of the State and local agency per\xc2\xad\npetrtors charcterize their agency s existig computer seurty and internal controls as weak\nand, therefore, vuerable to the tye of      cre\n                                              they commtted. The study also found that 43\npercent of these State and local employees had previous cral reor when hired by their\nagency.\n\nCongrss has also exprsse concern that computer securty systems have inadequate contrls\nwhich leave them vulerable to improper use and inadeuate proteCtion of privacy. Several\nlegislative intiatives have been introduced whichadss   the problems involving the securty\nof computer systems in federay funde        progr.The Office of Technology Assessment,\nthe research ar of Congrss, issued a report which wared that the opportities for un-\nauthorize access to and use of governent computer data have incrased and also identified\nthe computer matching perfored by \\State agencies as an ara where protection of data may\nbe insufcient.\n\n\n\nThe U. S. Deparent of Agrcultu s (USDA) 10 found computer system vunerabilities at\nState and local agencies adsterig Foo and Nutrtion Service (FS) progrs. Its 1984\naudit of 13 non-Fedra computer systems adisterg Foo Stap progrs found weak\xc2\xad\nnesses in al of them, leadg the 10 to consider these systems highly vulerable. It also\nreport that FNS had not issued any securty guidelines for non-Federa systems and needed\nto improve its monitorig of these systems.\n\x0cAnother concern is the relative lack of Federa guidace for State computer securty as op\xc2\xad\nposed to Federa systems. 
Federal standas for Federal systems, which run thousands of\npages and include NSDD- 145, Office of Management and Budget (OMB) Cirulars A- 130\nand Federal Inormtion Processing Standa (FIS) publications, requi each agency to\nhave its own computer securty program. These Federa computer securty progrs ar\nmonitored by individual agencies and OMB though the A- 123 process, by Inspectors General\ninternal reviews, as well as by the General Accounting Office.\n\nBy comparson , Federa   stada     for State systems ar a patch-work of uncoordnated regula\xc2\xad\ntions. Each Federal agency, in overseeing the State adistration of its programs, issues\nguidelies; only some of them include  stada      on computer securty. The agency may also\nissue dierig stadads dependig upon whether or not the State receives enhanced (Le. , 75\nor 90 percent) Federa fundig for its ADP system. Those Fedra      stada  which do exist\nvar in degr and tyes of securty reuired, and may someties duplicate or confict with\neach other or with State requirments. Ths may present compliance diffculties for those\nStates which process more than one Federa program at the same computer center.\n\nAmong the varous program, Medicaid (title    XI   of the Social Securty Act) has had regula\xc2\xad\ntions in place for almost 15 year providig for enhanced Federal Financial Parcipation\n(FF) for the Medcaid Maagement Informtion System (MMS) for States reuestig it.\nHowever, an amendment that reuired the development of securty stada for MMS, not\nenacted unti 1980, alows States to conduct internal reviews using stada developed by the\nDeparent. A yearly review by the Health Car Financing Admnistrtion     (HCFA) of the\nStates \' systems was requird unti 1985 when the Consolidated Omnbus Reconciiation Act\n(COBRA) revise the frquency of reviews to once every 3 years. 
The      stada   issued to the\nStates ar genera in natu and the specifc development of State secmity criteria is left to the\nStates.\n\nWith regar to the Aid to Famlies with Dependat Chidrn       Prgr  (AFC), a general state\xc2\xad\nment reuirg safeguar for inormtion existe for may years, but no discussion of State\ncomputer securty existed unti Public Law 96-265 was enacted, with the regulations effective\nin 1981. Public Law 96-265 alowed States to reuest enhanced fundig for the development\nof a computeri informtion system which met       cer stada,     includig secmity against\nunauthor access to or use of data The law also\nsystem s compliance with the stada.\n                                                  reui   the Deparent to monitor the\n\n\nWithin USDA, the FNS, which monitors the Foo Stap progr, issued an           ADP Security\nGuide which prvides States with genera automatic data processing (ADP) security\ngudelies for developing their own seurty progrs. These       stada,      which were\ndevelope as a result of the 1984 audit noted above, apply to States with or without enhanced\nfundig.\n\nA reassessment of computer system securty   progr     of States is now occurg due to the\npassage of Public Law 98- 369, the Deficit Reduction Act of 1985 (DEFRA), which crated\nthe Income and Eligibilty Verification System (IEVS). Ths law\n                                                                  reuirs AFC, Medicaid,\n\x0c                                             \' " ...\n\n\n\n\nFoo Staps and other program to receive income information from the Internal Revenue\nService (IS) and Social Securty Admnistration (SSA), and to use it in determning\napplicants \' eligibilty for progr benefits. All progrs were requird to sta using IEVS by\nSeptember 30, 1986. Both the IRS and SSA have personal data safeguarding guidelines\nwhich al agencies obtaiing inormation from them must           follow. 
The IRS          Tax Informtion\n\nSecurity Guidelines \n                         areas of computer securty and record\n                        goes into specifc deta on\nsafekeeping. It also requirs                 to the Federal fundig agency on the status of\n                                a periodc report\nsafeguarg proedures. The SSA issued securty instrctions in its Progr Operations\nManual which apply to States that obtan informtion from the Benefit and Earings Data Ex\xc2\xad\nchange (BENDEX) or Supplementa Data Exchange (SDX) systems. However, SSA is cur\xc2\xad\nrently in the proess of changig these requirments by adoptig the IRS requirements.\n\nTo ad to the concern at the Federa level, States \' assessments of their own securty progrms\noffer litte reassurance. The National Association for State Information Systems (NASIS)\nstated in its 1984-1985 report that States  data securty appear to be far from an ac\xc2\xad\ncomplished fact and that progrss in establishig physical securty at States \' data centers does\nnot appear to have been made. " Of the States reportng as par of the NASIS surey, half\nvoluntere that their data centers do not have a seurty plan.\nMETHODOLOGY\n\n1bere were two phass of activity in ths inspection. Intialy, Federa gudace to States on\ncomputer securty was reviewed and meetings were conducted with                   appropriate Federal staffs\nto identi relevant requirments and monitorig           pratices. Based upon          these activities, it was\ndetemred that the study should focus on the AFC, Medcaid and Foo Stap progrms.\nThe second phas was to visit 12 States to discuss computer securty with ADP and program\nsta. The States were selected to assur a varety of securty envirnments. The selection\ncrte   include progr size, use of shar data centers and use of enhanced funding. At\neach Sta, discussions were held at both the State and local sites. 
The States visited were:\n\n         Caorna                    Florida                  Georgia\n         Ilois                     Marland                  Michigan\n         New Jersey                New York                 Pennsylvania\n         Texas                     Vermont                  Washington\n\x0c                                         FINDINGS\n\nStat Computer Systems and     Operatng Environments Var\n\nUnlike many Federal agencies or the Medicar caners and intennediares, not all State human\nservice agencies own and operate their own computer systems. Six of the 12 States visited\noperated though a centralzed ADP agency. These agencies, which may be peer agencies to\nthe human service agencies or components within a larger admnistrative servces agency,\nhouse and operate the State computer systems. Among the States we visited, the centralzed\nADP agencies served frm 32 to 61 other agencies besides the human service agency. While\nthis situation is not a problem in and of itself, it has implications for the implementation of\nprogr specifc regulations and guidelines that relate to computer systems such as computer\nsecurty.\n\nFirt, these  centraled ADP agencies have their own operatig rules and regulations as well as\nadtrtive         systems that addrss computer securty. Often these rules and systems ar the\nresult of State law or policy. Second, because as many as 10 dierent federay funded\nprogrs are served by some of the centtd ADP agencies, the ADP agencies are potential\xc2\xad\nly obligated to be in compliance with al of the varous Federa agency requirements. The lack\nof Fedra recognition of this workig envirnment has crated a problem for some States.\nSpecifcally, the IRS securty reuirments under IEVS reuir the progr officials to per\xc2\xad\nsonaly supervse the processing of the IRS tapes. However, they do not have access to the\ncentr data center. 
Under normal operating procedures, program officials would simply send a tape to the data center for processing. In practice, States appear to be ignoring the IRS requirement because it is not practical.

On the other hand, two of the centralized ADP agencies reported that they were unaware of any Federal computer security requirements that might apply. This occurs for two reasons: first, because of uneven and sometimes weak Federal monitoring of program-specific computer security requirements; second, because Federal requirements are, by design, communicated to program staff in the agency administering the human service program. Therefore, the program agency becomes an intermediary with the central ADP agency and must also attempt to encourage or assure its compliance.

Federal Security Guidance Has Limited Impact On States

While all States were aware of the need for computer security and had security programs in place, computer security efforts varied significantly between the States visited. This is due to the lack of common Federal guidance and monitoring, and mixed levels of interest among the States in computer security.

For example, the Family Support Administration (FSA) has security standards that must be addressed in plans for, and met in the certification of, Family Assistance Management Information Systems (FAMIS) which receive enhanced funding. However, since 32 States are in the planning or development stage and 10 States are not seeking such a system, most States are currently not covered by these requirements. Security requirements for non-enhanced systems are virtually non-existent in that they only speak to protecting personal data. The FSA performs some ad hoc reviews of security by funding ADP audits conducted by outside consultants where vulnerabilities are suspected.

The HCFA has MMIS security standards, and these are regularly reviewed.
However, since most MMISs are contracted to private agencies, the reviews rarely include the State systems. Also, the guidance to regional offices, which conduct these reviews, focuses primarily on claims processing and minimally on eligibility systems. Additionally, in the most recent reviews for 8 of 12 States in this study, computer security standards were documented "deemed met," meaning they were not actually reviewed because they had been met in an earlier review.

The USDA/FNS issued a comprehensive computer security guide to State agencies in February 1986 as a follow-up to the USDA/OIG's review of computer security in 13 States. This guide, however, does not have the force of law and has largely been implemented and monitored by correspondence.

The SSA had a requirement until September 1986 for each State receiving BENDEX data to have a security officer and a written, comprehensive security plan which was to be submitted to SSA. However, it appears that SSA has not implemented these security requirements, according to the States visited in this inspection.

The IRS' "Tax Information Security Guidelines" now apply to State agencies because of the IEVS requirement. Based upon Internal Revenue Code requirements to safeguard tax data, they require a self-assessment of data security that includes a review of computer security. States report that the IRS requirements are inappropriate and burdensome for the purposes of IEVS.
A few States reported that they will use a liberal interpretation of the IRS guidelines until "caught."

Audits by the USDA/OIG and State legislative pressure appear to be the major factors influencing the development of State security programs. States without such influence had less organized security programs. For example, only 4 of the 12 States have a personnel security component to their computer security programs. (Personnel security is a mandated component of Federal computer security programs.) In each of these four instances, personnel security was initiated as part of the corrective action plan resulting from the USDA/OIG audits. Only two States did formal risk analyses on their systems; in both instances they were mandated by the State legislatures. Two State legislatures mandated the format of the State computer security plan. As one central ADP administrator pointed out: "they (the State Legislature) control our budget and our agencies' budgets. We do what they tell us to do." The most common computer security problem noted by State ADP officials was the lack of a management commitment to security. While this is not a problem unique to States or even the public sector, legislative concern, in at least 2 of 12 States, appears to have assured a management commitment.

An example of the limited effect of Federal guidance is the fact that 3 of the 12 States visited reported that they were unaware of any applicable Federal computer security standards. All States reported that they were unaware of the BENDEX requirements; this is understandable since it appears SSA never formally implemented them. A BENDEX computer security requirement calls for States to have a Security Action Plan (SAP) and to submit an annual evaluation of the SAP to SSA as a condition of receiving BENDEX and SDX data.
Copies of the SAP and evaluations for each of the States visited were requested of SSA. The SSA has failed to respond.

Although eight States reported computer security monitoring by HCFA, and four each by FNS and FSA, only four recalled findings or recommendations resulting from this Federal monitoring. The most commonly reported finding was the already noted lack of personnel security found by the USDA/OIG. Other problems noted were the lack of testing of contingency plans or the lack of risk analysis. Although States were most aware (8/12) of HCFA visits, only one noted any recommendations resulting from HCFA monitoring, a concern regarding the use of IEVS data. A likely reason for the lack of findings resulting from the HCFA monitoring is that HCFA did not always review computer security during its System Performance Review (SPR) monitoring visits. For eight of the visited States, HCFA deemed security satisfactory and did not review it since it had passed review in the past. It should be noted here that while only eight States reported HCFA monitoring visits, HCFA produced monitoring reports for all States.

When asked about problems with Federal security guidance, only five States offered any comments. One important comment was with regard to IRS' guidance in the IEVS regulations. Seven States took strong exception to these requirements as being too burdensome, as well as inappropriate to the IEVS use of IRS data. One State official said, "If we had to handle and use IRS data as IRS guidelines suggest, the use of IRS data would be unworkable." Another offered, "The IRS requirements to destroy tapes by cutting the tape every so many inches, or to run IRS tapes, shut down the system, verify JCL and then restart the system cold are antiquated and costly."
There have been, and continue to be, efforts by HHS/ASMB to balance IRS' need to assure that tax data is protected with States' needs to implement IEVS in an efficient manner.

When asked what they believed would be an appropriate Federal role, State agencies were virtually unanimous in their desire for assistance in this area. The State agencies want a comprehensive set of minimum standards, common to all programs, and to have supporting guidance. In fact, it should be noted that a number of States are actively looking for a computer security standard and requested such guidance from the inspection team. States are, however, split about how they would like to see the monitoring done. While half opted for monitoring site visits, the others preferred the submission of a risk or vulnerability assessment. (Some noted that the latter could be done by a State audit agency.) The ASMB has issued a proposed regulation that includes a common standard for State computer security on federally funded systems. It includes monitoring through the submission of vulnerability assessments. It should be noted, however, that only two of the States visited did vulnerability assessments and both were reluctant to share them with us voluntarily.

States Have Good Access Controls

Access controls in the form of passwords and ID numbers, terminal identifiers, and audit trails of persons who had used the system are the strengths of State security programs. Virtually all States use access controls to limit, to their job responsibilities, employees' ability to create or modify files, and to keep a log of transactions and system use. States report that their use of controls and audit trails has developed out of a long history of establishing eligibility and authorizing benefits through a decentralized operation. Thus, with the advent of automation it was logical to build such controls into their computer systems.
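As an added illustration (not code from the OIG report or from any State system), the following Python model shows the control pattern just described: an employee-specific ID with a password age limit, a terminal identifier check, a per-ID list of permitted transaction types, and an audit trail of every decision. It also shows the two gaps the report goes on to describe: an allowed access under a shared "generic" query ID cannot be attributed to a person, and a high volume of allowed queries from one ID is the audit-trail signal for bulk downloading. All user records, terminal names, transaction types and access events are constructed for the example; the 90-day password age limit is taken from the shortest rotation interval the report cites.

```python
"""Model of State-style access controls: per-employee ID, terminal and
transaction restrictions, password aging, and an audit trail.

Added example, not code from the OIG report. All names, user records and
events below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import date, timedelta

PASSWORD_MAX_AGE_DAYS = 90  # shortest rotation interval the report cites


@dataclass(frozen=True)
class User:
    user_id: str              # employee-specific ID (often the SSN, per the report)
    name: str
    terminals: frozenset      # terminal identifiers this ID may use
    transactions: frozenset   # transaction types this ID may perform
    password_set: date        # date the current password was set
    shared: bool = False      # True for a "generic" query ID handed to a group


@dataclass
class AccessControl:
    users: dict
    today: date
    audit_log: list = field(default_factory=list)

    def authorize(self, user_id, terminal, transaction, case_id):
        """Decide one access request and record it in the audit trail."""
        user = self.users.get(user_id)
        if user is None:
            decision = "DENY:unknown-id"
        elif (self.today - user.password_set).days > PASSWORD_MAX_AGE_DAYS:
            decision = "DENY:password-expired"
        elif terminal not in user.terminals:
            decision = "DENY:terminal"
        elif transaction not in user.transactions:
            decision = "DENY:transaction"
        else:
            decision = "ALLOW"
        self.audit_log.append({"user_id": user_id, "terminal": terminal,
                               "transaction": transaction, "case_id": case_id,
                               "decision": decision})
        return decision

    def unattributable_accesses(self):
        """Allowed accesses made under a shared ID: the log cannot say who."""
        return [e for e in self.audit_log
                if e["decision"] == "ALLOW" and self.users[e["user_id"]].shared]

    def bulk_readers(self, threshold):
        """IDs whose allowed QUERY count exceeds threshold (bulk-download signal)."""
        counts = Counter(e["user_id"] for e in self.audit_log
                         if e["decision"] == "ALLOW" and e["transaction"] == "QUERY")
        return sorted(uid for uid, n in counts.items() if n > threshold)


def build_sample():
    """Constructed user table; dates chosen so one password is stale."""
    today = date(1988, 12, 1)
    fresh = today - timedelta(days=30)
    stale = today - timedelta(days=200)
    users = {
        "E1001": User("E1001", "clerk", frozenset({"T01"}),
                      frozenset({"QUERY"}), fresh),
        "E2002": User("E2002", "eligibility worker", frozenset({"T01", "T02"}),
                      frozenset({"QUERY", "CREATE", "MODIFY"}), fresh),
        "E3003": User("E3003", "supervisor", frozenset({"T01"}),
                      frozenset({"QUERY", "MODIFY"}), stale),
        "QUERY01": User("QUERY01", "reception desk (shared)", frozenset({"T01"}),
                        frozenset({"QUERY"}), fresh, shared=True),
    }
    return AccessControl(users, today)


def run_sample():
    """Replay constructed access events; returns the system and its decisions."""
    ac = build_sample()
    events = [
        ("E1001", "T01", "QUERY", "C-100"),    # within job: allowed
        ("E1001", "T01", "MODIFY", "C-100"),   # clerk may not modify
        ("E2002", "T03", "MODIFY", "C-101"),   # wrong terminal
        ("E3003", "T01", "QUERY", "C-102"),    # password older than 90 days
        ("QUERY01", "T01", "QUERY", "C-103"),  # shared ID: allowed, unattributable
        ("QUERY01", "T01", "QUERY", "C-104"),
        ("X9999", "T01", "QUERY", "C-105"),    # no such ID
    ] + [("E2002", "T02", "QUERY", f"C-{n}") for n in range(200, 206)]  # burst
    decisions = [ac.authorize(*e) for e in events]
    return ac, decisions


if __name__ == "__main__":
    ac, decisions = run_sample()
    for entry in ac.audit_log:
        print(entry)
    print("unattributable:", len(ac.unattributable_accesses()))
    print("bulk readers:", ac.bulk_readers(3))
```

The model enforces only what the report says the States had in place; the two review functions read the audit trail after the fact, which is where a shared query ID shows its cost: the entry is allowed and logged, but the log identifies a desk, not a person.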
Seven of the States use commercial access control software such as RACF, ACF2, or Top Secret, while the others developed their own.

More specifically, the access controls virtually always consisted of both an employee-specific password and an ID. The latter was often the employee's Social Security number. Ten of the States had procedures for periodically changing passwords. This ranged from every 3 months to a year. The IDs were used to limit the employees to specific terminals, specific cases and/or specific types of transactions.

Despite the apparently well-designed and implemented access control efforts noted among the States, a potential vulnerability to the protection of personal data was noted in a number of States. This vulnerability took two forms:

      Many States issue generic passwords for the query function. This is typically done for persons in clerical or receptionist positions so they can determine if a client has a record. While this practice does not directly permit unauthorized persons access to view, print, create or modify client records, it does create an opportunity for access that is not easily monitored. Generic passwords are easily shared and thereby render personal data vulnerable to disclosure.

      Many States are introducing, or increasing the use of, personal computers which have access to the client data bases. Such access, usually created for staff offices as opposed to program personnel, creates the opportunity for the mass manipulation of, or downloading of, large quantities of data.

States Need To Strengthen Security In Specific Areas

Weaknesses in State computer security can be documented by the absence of some commonly accepted practices.
If one were to use OMB Circular A-130 (Management of Federal Information Resources, the computer security requirement applicable to Federal agencies) as a standard for evaluating State computer security programs, a number of specific deficiencies could be noted among the States visited.

         Three-quarters of the States did not have a specific computer security plan in place. The OMB Circular A-130 requires a specific computer security plan and the designation of an individual to be responsible for the implementation of the plan. Only four States had such procedures in place. The others, when queried about computer security plans, reported that they relied on a variety of administrative guidelines, had a plan that addressed data security or access controls only, or had no plan but were developing one. The Office of Inspector General, in commenting on ASMB's proposed computer security guidelines for federally funded systems during the in-house review period, recommended that one of the requirements be for States to have one, comprehensive computer security plan.

         Only three States had plans and monitoring procedures for computer security at remote sites (State district or county welfare offices). While Federal computer security guidance stresses that security must be system-wide (i.e., including remote sites), States in general appear to leave remote site security to the discretion of local managers or ADP staff. The access control system, in most instances, is statewide by design, and therefore, is in place at remote sites. These nine States are providing local managers with little more than the access control manual.
Two of these States report that they do look at security during monitoring visits, but neither had standards against which to evaluate the security at the local offices.

         Only two States did vulnerability assessments or risk analyses to evaluate their security. It should be noted that not only is a periodic risk analysis required on Federal computer systems, but the proposed ASMB computer security requirements for States will require a risk assessment. As noted earlier, the two States that did risk assessments did so at the direction of their State legislatures. A possible implementation problem for the ASMB regulation is that both States were reluctant to share those reports with us on a voluntary basis. However, most State computer systems had been reviewed by outside agencies such as "Big 8" CPA firms or State auditors.

         Eight States did not do personnel security background checks. Background checks are a standard requirement for Federal employment, and personnel security is a mandated component of Federal computer security. The discussions with States revealed that the idea of background checks for persons who had access to computers was never really considered. In fact, the four that do perform background checks do so in response to the USDA/OIG audits.

         Contingency plans generally exist on paper in the form of a proposal to move into and share another agency's facility. Only a few of the plans have been tested.

RECOMMENDATIONS

The most significant finding of this inspection is the lack of common, Federal standards for States to meet with regard to security on their federally funded computer systems. The HHS/ASMB issued on September 21, 1987 a Notice of Proposed Rulemaking, "Automatic Data Processing Equipment and Services; Conditions for Federal Financial Participation."
The NPRM, among other things, will establish such standards. During the process of developing the standards, OIG made recommendations to strengthen them based upon the experience gained in conducting this inspection.

The recommendations included:

     Modifying the NPRM to specifically require that the States have a single security plan.

     Adding a requirement for review of data security in addition to physical security reviews.

     Establishing a clearly defined relationship between generic security requirements and program-specific requirements.

The recommendations listed above were incorporated into the NPRM. It should also be noted that USDA is in the process of developing a companion security regulation for its grantees.

We recommend that the HHS common computer security standard be issued in final, with the requirement for risk analyses.

Review and follow-up procedures will need to be established in order to properly monitor implementation of the standard. The OIG will monitor implementation of the standards to determine their effectiveness in addressing the areas of concern highlighted by this report.

AGENCY COMMENTS

Substantive comments on the draft report were received from ASMB and FSA within HHS and from the Food and Nutrition Service (FNS) and the Inspector General at USDA.

The HHS/ASMB reported that lead responsibility for State ADP systems had been transferred from ASMB to FSA, and that FSA was now in the process of finalizing the computer security regulations for States receiving Federal funds. FSA reports that the final regulations will soon go through final Departmental clearance.

The USDA/FNS reported that on August 8, 1988 they issued an NPRM establishing minimum computer security requirements for State and local agencies administering Food Stamp Programs. Our analysis of these regulations indicates that they are virtually identical to the HHS regulations.
The USDA/OIG suggested that responsibility for assuring and monitoring compliance with the regulations be assigned. The USDA regulations note that FNS will be responsible for assuring compliance; FSA will assume that responsibility within HHS. They will be using either the required security reviews or the corrective action plans as the primary means for monitoring compliance.